E-Passports Hacked in Minutes
by: Jerry Liao
Just a couple of weeks back, the Department of Foreign Affairs announced that passports with the electronic chips (e-passports) are set to be released this coming October. This after we complied with the international requirement for a machine-readable passport (MRP) set by the International Civil Aviation Organization (ICAO).
If everything goes according to plan, Filipino travelers will now carry e-passports that can contain more information about the passenger than an ordinary passport. I heard that Filipino diplomats and officials will have their e-passport starting October and to all Filipino travelers by December. So why are we even bothering to shift from a normal passport to an e-passport? Simple – because of SECURITY.
E-Passports is a combined paper and electronic identity document that uses biometrics to authenticate the identity of travelers. The passport’s critical information is stored on a tiny RFID computer chip, much like information stored on smartcards. Like some smartcards, the passport book design calls for an embedded contactless chip that is able to hold digital signature data to ensure the integrity of the passport and the biometric data.
But have we really tested the system? Is it really full proof? Tamper Proof?
Reports indicated that test for The Times of London revealed that e-passports can be cloned and pass as legitimate documents. The Times discovered security holes in the chips and use it to clone the e-passport. Surprisingly, the cloned e-passport passed as a legitimate document when pass through a UN-approved reader software.
Security research Jeroen van Beek was able to create two fake e-passports using only publicly available code, a card reader and two RFID chips.
It took Beek less than an hour to clone the passport chips. Beek altered a baby boy’s passport chip and replace the picture with an image of Osama bin Laden. The other passport belongs to a 36-year old woman, Beek changed the picture to Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. Both passports passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.
Beek’s discovery is a major concern not only for preventing terrorists entry but also a concern to identity theft as well. If e-passports can be cloned, then it means sensitive data can be read and can be copied and used to clone another passport.
Another concern is the acceptance of the system. Statistics shows that of the 45 countries using the technology, only 10 have signed up for the system, and five have it implemented.
The purpose of this article is not to ridicule our agency spearheading this project but rather to inform them of the possibilities so that they may take the necessary precautions to prevent such from happening here.
And on a personal note, I have yet to see a device that was claimed unhackable to stay unhacked. Announce to the world that it is fully secure and unhackable, within minutes it will be hacked. Which leads me to say there no such thing as unhackable in the world of technology.